PCI DSS Compliance in the UK

Last updated Tuesday, October 12, 2021

According to Verizon’s most recent Payment Security Report, only 27.9% of global businesses are PCI DSS compliant.

Did you know? If you handle payment card information, you need to comply with the PCI DSS standard in the UK.

Let’s take a look at what the standard is, what it covers and how you can become compliant.


#1 PCI DSS Fundamentals

What is PCI DSS compliance in the UK?

PCI DSS stands for Payment Card Industry Data Security Standard (Now there’s a mouthful 😁).

It is an information security standard designed to:

  • Protect cardholders’ information
  • Prevent payment-card fraud
  • Allow people to shop safely and with confidence

PCI DSS was originally developed through a collaboration between the five leading payment brands:

  • American Express
  • Discover
  • JCB
  • MasterCard
  • Visa

It’s now managed by the PCI SSC (Payment Card Industry Security Standards Council).

Why do I need to be PCI DSS compliant?

Payment-card fraud is a serious problem.

According to the most recent UK Finance report, unauthorised financial fraud losses across payment cards, remote banking and cheques totalled £783.8 million in 2020.

You will need to be PCI DSS compliant in order to:

  • Handle customer money securely
  • Prevent identity theft
  • Avoid fines
  • Build trust in your business
  • Meet your compliance obligations

So PCI DSS compliance is definitely something worth getting right first time.

#2 PCI DSS Glossary of Terms

PCI DSS compliance involves a lot of specialised terms and acronyms.

Here’s a quick guide to get you up to speed:

  • PCI (Payment Card Industry): The firms involved in taking card payments
  • PCI DSS (Payment Card Industry Data Security Standard): An information security standard to protect cardholders’ data when they shop
  • PCI SSC (Payment Card Industry Security Standards Council): The body that manages PCI DSS and authorises ISAs
  • ASV (Approved Scanning Vendor): An organisation approved to carry out the quarterly external vulnerability scans that PCI DSS requires
  • ISA (Internal Security Assessor): An organisation whose employees have been trained in PCI DSS by the PCI SSC
  • QSA (Qualified Security Assessor): An independent organisation that has been approved to check for PCI DSS compliance
  • SAQ (Self-Assessment Questionnaire): A questionnaire that merchants can use to check their own compliance with PCI DSS
  • RoC (Report on Compliance): A document with detailed results from a PCI DSS assessment – usually one carried out by a QSA during an audit. All Level 1 merchants (see below) must complete an RoC
  • AoC (Attestation of Compliance): A form that you complete and submit with your SAQ to confirm that you are eligible to carry out self-assessment, and that you have done so. You also submit an AoC along with an RoC
  • Merchant: A person or company that sells goods or services
  • PSP (Payment Service Provider): A third party that helps merchants accept payments

Do I have to comply with the PCI DSS?

All merchants and PSPs who process, transmit or store cardholder data must comply with PCI DSS.

That means you need to comply with the PCI DSS if you:

  • Take card payments online through an ecommerce website
  • Take card payments in person using a card reader or contactless payments – for example, in a shop or restaurant
  • Take card payments over the phone, using the details provided by the cardholder

You also have to comply with the PCI DSS if you process payments or handle payment data on behalf of someone else.

If you do this, you are known as a PSP (Payment Service Provider).

Some businesses can be both a merchant and PSP at the same time.

How many requirements are needed to become PCI compliant?

There are a total of 12 steps that you need to take to become PCI compliant, divided into 6 goals.

They are:

#1 Build and maintain a secure network and systems

  • Install and maintain a firewall configuration to protect cardholder data, and test it regularly
  • Do not use vendor-supplied defaults for system passwords and other security parameters. Change them as soon as you can and update them frequently

#2 Protect cardholder data

  • Protect stored cardholder data. Only store what you absolutely need to, and keep it safe both digitally (through backups, passwords and access control) and physically (through limiting access to your server)
  • Encrypt transmission of cardholder data across open, public networks, so nobody can read it in transit

#3 Maintain a vulnerability management program

  • Protect all systems against malware and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications, so you stay one step ahead of potential problems

#4 Implement strong access control measures

  • Restrict access to cardholder data to those who genuinely need to know it
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data

#5 Monitor and test networks regularly

  • Track and monitor all access to network resources and cardholder data
  • Test security systems and processes regularly

#6 Maintain an information security policy

  • Maintain a policy that addresses information security for all personnel

Each of these steps helps to reduce your risk of data loss or fraud.

You can read the full requirements for PCI DSS at the PCI SSC’s website.

What happens if you don't comply with PCI DSS?

If you aren’t compliant and there’s a breach of the standard, your payment provider can impose a fine on your bank.

For their part, the bank may:

  • Pass the fine on to you
  • Refuse to accept card payments from you
  • Close your bank account altogether

If you’ve suffered a breach and want to carry on taking card payments:

You’ll have to meet Level 1 requirements from then on, regardless of how many transactions you process.

If you’ve been fined and still can’t prove your compliance:

You may face further fines until you take the necessary steps.

For larger firms, the fines can add up to as much as £80,000.

Is PCI DSS compliance mandatory in the UK?

PCI DSS is a standard rather than a law.

It’s enforced through contracts between:

  • Merchants
  • The banks that process payments
  • The major payment companies

However, that doesn’t mean that you can relax about PCI DSS, or put it off until later.

The risks of non-compliance can be very serious.

Even endangering your ENTIRE business.

If you suffered a breach, you would lose trust.

This includes trust from your bank and your customers.

While you might be able to afford the fine, you might never get back your reputation.

More importantly:

Nobody wants to be known as a firm that can’t be trusted to look after sensitive data.

To make things more interesting:

Allowing cardholders’ data to be lost or stolen is a breach of the EU GDPR (General Data Protection Regulation).

This covers consumers’ rights over their data, including payment data.

A version of this law, known as UK GDPR, still applies.

The penalties for GDPR data breaches are severe:

Up to €20m (£17m) or 4% of your turnover.

💳 Need advice on PCI DSS compliance? Feel free to get in touch.

What are the PCI DSS compliance levels for merchants?

Not all merchants have to reach the same standards in order to comply with PCI DSS.

There are 4 levels of validation, from 1 (highest) to 4 (lowest).

The level you must comply with depends on how many transactions you process per year.

For each level, there are different tasks that you must carry out every year in order to stay validated.

The table below shows the full details.

For the meaning of terms and abbreviations used here, see the Glossary of Terms above.

Level 1: 6M+ transactions per year (or if your data has previously been compromised). Validation requirements:

  • RoC carried out by a QSA or ISA
  • Quarterly scan of external vulnerabilities by an ASV

Level 2: 1M-6M transactions per year. Validation requirements:

  • RoC by a QSA, or an SAQ signed by an officer of the company
  • Quarterly scan by an ASV

Level 3: 20k-1M transactions per year. Validation requirements:

  • SAQ signed by an officer of the company
  • Quarterly scan by an ASV (once the SAQ has been done)

Level 4: Under 20k transactions per year. Validation requirements:

  • SAQ signed by an officer of the company
  • Quarterly scan by an ASV (once the SAQ has been done)

How do I become PCI DSS compliant in the UK?

#1 Determine Validation Level

Determine which level of validation you need to achieve.

Base this on the number of transactions you plan to process within a year.

#2 Gap Analysis

Carry out a gap analysis to work out what you need to do in order to become compliant.

In other words:

  • Look at where you are now
  • Determine where you need to be
  • Consider how to bridge the gap between them

#3 Report on Compliance (RoC)

Do you need a Report on Compliance (RoC)?

Contact a QSA and ask them to prepare it for you.

#4 Scan for Vulnerabilities

Do you need to scan for vulnerabilities?

Contact an ASV.

To simplify the process, contact businesses that fulfil both #3 and #4.

#5 Self-Assessment Questionnaire (SAQ)

Do you need to complete an SAQ?

There are 9 questionnaires available.

Each one is aimed at businesses with different payment setups.

Work out which one is applicable to your business, download it and complete it.

How much does it cost to become PCI compliant in the UK?

The cost of becoming PCI compliant varies depending on the level of validation you need.

You may even be compliant with the standard already!

Or you may need to make some changes to the way you handle data and take payments.

Most notably:

PCI compliance is not just a one-off task.

You’ll probably have some recurring tasks that you need to keep performing to make sure you stay compliant.

The main costs are likely to be:

  • Paying PSPs to help you with assessments or support
  • Upgrading technology – for example, by installing anti-virus software
  • Buying new equipment such as a paper shredder
  • Maintaining compliance – for example, by training your staff

On top of that:

PCI needs careful management.

It will take up some of your time as a manager, or that of your IT team.


Now we’d like to hear from you:

Do you handle card payments? Are you PCI DSS compliant?

Perhaps you need some assistance in becoming PCI DSS compliant?

Let us know your thoughts.
